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ICO consultation on the draft updated data sharing 
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the 
Survey, or you have any general queries about the consultation, please 


email us at datasharingcode@ico.org.uk. 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
capacity (e.g. a member of the public). All responses from organisations 
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and individuals responding in a professional capacity will be published. We 
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Q1 Does the updated code adequately explain and advise on the new 
aspects of data protection legislation which are relevant to data 
sharing? 


[] Yes 


X No 


Q2 If not, please specify where improvements could be made. 


The Code is accessible to experienced data protection professionals; 
individuals new to data sharing and data protection may find it difficult 
to digest and understand what controls may be necessary. 


The Law Enforcement section (p63) is difficult to understand and 
requires simplified language and more definitive straightforward 
examples: language such as 'Assuming the shopkeeper had a lawful 
basis for the processing, she could rely on Schedule 1, paragraph 10 to 
process the CCTV data' is both confusing and not sufficiently clear. 
Providing information to police for the investigation of crime should not 
be something that organisations feel unable to do. This code needs to 
provide confidence that a common sense approach often works best, 
and use common place examples to illustrate the point. 


If references to particular sections of the legislation and/or controls are 
necessary, this could be done in a consistent fashion. See suggestion for 
Annex D in Q10. 


1CO. 


Information Commissioner's Office 


Much of the document highlights that consent documents will be 
required for accountability purposes. To ensure that organisations 
consider all the conditions of processing, this advice should include the 
caveat ‘as required’. Failure to make this clear will perpetuate the 
practice of over reliance on consent for data sharing, and an 
expectation that individuals have more control in certain circumstances 
than they actually do. 


Q3 Does the draft code cover the right issues about data sharing? 


X Yes 


[] No 


Q4 If no, what other issues would you like to be covered in it? 


Q5 Does the draft code contain the right level of detail? 


[] Yes 


X No 


Q6 If no, in what areas should there be more detail within the draft 
code? 
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Examples need to be provided in the ‘Other legal requirements’ section 
(p57). Further consideration should also be given to the statement that 
compliance with data protection legislation will likely comply with the 
Human Rights Act. The Supreme Court judgement in relation to the 
Children & Young People (Scotland) Act found the opposite, and the 
issues in relation to that sharing are still not resolved. It would be 
useful if the Code could address the additional requirements the HRA 
places upon public authorities. 


Moreover, examples also need to be provided in relation to data sharing 
and children. School apps, and Pupil Support meetings may be good 
examples to use. 


Q7  Hasthe draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation's data sharing practices? 


[] Yes 


X No 


Q8 If no, please specify what areas are not being addressed, or not 
being addressed in enough detail 


As above, as a public authority, we will engage in data sharing practices 
where a number of conditions of processing may be relevant. It would 
be helpful if the code could emphasise that partners may operate under 
different lawful conditions, and advise on how to manage that in 
practice. 


The explanations around sharing data with a competent authority (p64) 
is confusing. 


Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 


[] Yes 


X No 
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Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


Data sharing in an urgent situation or in an emergency (p80) appears to 
focus upon steps which might be taken by organisations to manage 
resilience situations. Equal consideration and guidance should be given 
in this section to sharing data in a ‘one-off’ emergency situation e.g. 
assisting police in a missing person investigation, emergency contact to 
NHS for employee taken to hospital. It might be helpful if examples 
included the one-off situation as well as large scale sharing. 


In addition, sharing relevant, necessary and proportionate information 
in emergency situations is not given sufficiently affirmative language. 
The Misconceptions highlighted on p13 will not be countered by ‘Not 
always’ and ‘You may be able to do so’. This requires greater direction 
acknowledging that sharing can happen without a person’s consent if 
you have an alternative lawful basis for doing so; and, in an emergency, 
you should do whatever is necessary and proportionate. It would also 
be useful to emphasise within the code that documenting your decision- 
making process is essential. 


Lawful basis for sharing personal data could benefit from a greater 
inclusion of restrictions provided by DPA2018 e.g. prevention and 
detection of crime throughout the code and not just within the LED 
section. 


Q11 Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


X Yes 


[] No 


Q12  Ifno, in what way does the draft code fail to strike this balance? 
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Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


X Yes 


[] No 


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 


It would be useful to have a broader selection of examples throughout 

the document. In particular, many of the examples appear to focus on 
sharing arrangements which will fall under public task and this may not 
be applicable to many organisations using the code. 


It would be helpful to provide examples of occasions where data will be 
shared under other conditions of processing e.g. vital interests, consent, 
contract, legitimate interests; and, indeed, when a number of parties 
might come together to share data in the same forum but will have 
different conditions of processing e.g. Team around a child meeting - 
School, NHS, and Police may attend as part of their public task; 
Women's Aid may attend with consent for advocacy support. 


The case studies in Annex D are useful, but their presentation is slightly 
confused. It would be helpful if all these examples could be presented 
in a similar format but also highlight the lawful basis and good practice 
controls which would be associated with them. This will help to 
illustrate what actions organisations can take to achieve compliant 
practices and accountability, and allow them to apply them to their own 
situations. For example: 

Supermarket loyalty scheme: Lawful basis - Contract; Expected 
controls - Privacy Notice 

Credit Reference Agency: Lawful basis - Contract; Expected controls - 
Privacy Notice, Contract clauses or Data sharing agreement. 
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Public Sector bodies sharing for co-ordinated approach: Lawful basis - 
Public task; Expected controls - Privacy notice, Data Sharing 
Agreement, DPIA. 


The Annex would also benefit from examples where data is shared 
under a restriction e.g. the CCTV example referenced earlier in the code 
CCTV request from police: Lawful basis - DPA2018 Restriction - 
prevention & detection of crime; Expected controls - Written request, 
Privacy notice. 


Perhaps the above could be produced in a tabular format with ticks for 
ease of reference, and to reinforce the different ways accountability can 
be achieved. 


Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 


Strongly agree 
Agree 


Cg o O 


Neither agree nor disagree 


Disagree 


O O 


Strongly disagree 
Q16 Are you answering as: 


[] An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public of the public) 


[] An individual acting in a professional capacity 


X On behalf of an organisation 


[] Other 


Please specify the name of your organisation: 


City of Edinburgh Council 


Thank you for taking the time to share your views and experience. 
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